Analysis Notes

A place to jot down notes from analyzing malware and anything I think might be useful for analysis. This site uses Google Analytics.

4n6 Week 51 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix=Forensics), so that articles worth checking can be zapped through quickly. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Keith Chew at Active Countermeasures

Adam at Hexacorn

Posted on 2023-12-14 by adam If you’ve been reading my blog for a while now you will know that I love to challenge my threat hunting game with a lot of err…. banalities. And not the banalities I can ignore, but a lot of these banalities that I eventually learn to embrace… if it sounds cryptic… You probably already know by now that things we often take for granted are not necessarily true, and today I am adding the ‘default installation path’ to that ‘fear, uncertainty, doubt’ list as well. The r...

Adam Goss

Adam Goss 11 December 2023 Cyber threat intelligence (CTI) can be hard. There are hundreds of terms flying around that, to the untrained, could mean almost anything. If you want to jump into this area of cyber security or gain more value from it, you need a clear understanding of what CTI analysts mean when they share threat intelligence with you. This is the first article in a whole series on CTI definitions and key concepts. The series is designed to be a reference guide for whenever you encou...

Jack Zalesskiy at Any.Run

December 12, 2023 · 6 min read What are the most common methods cyber attackers use to infect a system with malware?

Emma McGowan at Avast

Avast Threat Report shows humans are better targets than software Emma McGowan 14 Dec 2023 The latest Avast Threat Report identifies the most prominent targets for cybercrime—and it’s us. When you think of cybercriminals, you might conjure up a movie image of people working in dark rooms with complex spreads of monitors filled with lines and lines of code as they try to break through the security of remote systems. And while that has some slight relationship to the real world, Avast Threat Labs’...

Avast Threat Labs

Avertium

New Ransomware Strains - CACTUS and 3AM December 12, 2023 executive summary In January 2023, there was a significant 41% decrease in ransomware victim posting rates across all groups compared to December 2022, signaling an overall decline in ransomware activities. Despite this downturn, LockBit continued to be a dominant force in ransomware incidents, maintaining their position at the forefront of the threat landscape. Avertium's End of the Year Recap for 2022 already predicted a diminishing ret...

Eduardo Ortiz Pineda, Howard Irabor, Rodrigo Ferroni, and Scott Ward at AWS Security

by Eduardo Ortiz Pineda, Howard Irabor, Rodrigo Ferroni, and Scott Ward | on 15 DEC 2023 | in Advanced (300), Amazon GuardDuty, Security, Identity, & Compliance, Technical How-to Amazon GuardDuty is a threat detection service that continuously monitors your Amazon Web Services (AWS) accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. GuardDuty Malware Protection helps detect the presence of malware b...

Silviu Stahie at Bitdefender

Silviu STAHIE December 12, 2023 South Korean authorities have accused North Korean threat actor 'Andariel' of stealing defense technology information from numerous companies, along with approximately $400,000 worth of cryptocurrency. North Korean hackers are often in the news due to their involvement in the cryptocurrency space and as ransomware operators. As a recent research report outlined, they've likely stolen up to...

Brad Duncan at Malware Traffic Analysis

2023-12-11 (MONDAY): INFECTION FROM BRAZIL PORTUGUESE MALSPAM (ASTAROTH/GUILDMA) REFERENCE: //www.linkedin.com/posts/unit42_malspam-guildma-astaroth-activity-7140451772770205696-t2d6/ //twitter.com/Unit42_Intel/status/1734686148289777666 ASSOCIATED FILES: 2023-12-11-IOCs-for-Astaroth-Guildma-activity.txt.zip 3.0 kB (3,027 bytes) 2023-12-11-Brazil-malspam-122359-UTC.eml.zip 2.4 kB (2,356 bytes) 2023-12-11-Astaroth-Guildma-infection-trafffic.pcap.zip 4.4 MB (4,424,215 bytes) 2023-12-11-Astaroth-Gu...

2023-12-13 (WEDNESDAY) - QUICK POST: TWO AGENTTESLA INFECTIONS (ONE FTP AND ONE SMTP) ASSOCIATED FILES: 2023-12-13-text-files-with-AgentTesla-IOCs.zip 2.2 kB (2,183 bytes) 2023-12-13-AgentTesla-emails-traffic-and-malware.zip 3.7 MB (3,668,988 bytes)

2023-12-15 (FRIDAY): TA577 PIKABOT INFECTION REFERENCE: //www.linkedin.com/posts/unit42_ta577-pikabot-timelythreatintel-activity-7141526098479149056-6DCW //twitter.com/Unit42_Intel/status/1735760477391552670 ASSOCIATED FILES: 2023-12-15-IOCs-for-TA577-Pikabot-infection.txt.zip 1.6 kB (1,635 bytes) 2023-12-15-TA577-Pikabot-infection-traffic.pcap.zip 4.6 MB (4,623,013 bytes) 2023-12-15-TA577-Pikabot-malware-and-artifacts.zip 1.0 MB (1,041,340 bytes)

BushidoToken

December 12, 2023 Introduction 2023 was packed with a multitude of significant events that caused many to rethink their entire security strategies, especially their vendors and their team size. Unfortunately, we saw thousands of layoffs in the technology sector, including cybersecurity teams. This is despite the unrelenting and omnipresent threat of an ever growing number of cyber adversaries. The Top 10 Cyber Threats of the year that I beli...

CERT-AGID

Summary of the malicious campaigns in the week of 09 – 15 December 2023 15/12/2023 Summary This week, CERT-AGID detected and analysed, within the Italian scenario it covers, a total of 35 malicious campaigns, 34 of which targeted Italy and 1 generic one that nonetheless affected Italy, making the related 775 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types ...

Check Point

December 14, 2023 Unveiling the New Threats: Rhadamanthys v0.5.0 A Research Overview by Check Point Research (CPR) By Check Point Research Key Insights: · The Evolving Threat: The Rhadamanthys stealer, a multi-lay...

Yehuda Gelb at Checkmarx Security

Yehuda Gelb, published in checkmarx-security, 7 min read, 4 days ago. In an era where digital warfare is as impactful, if not more so, than conventional warfare, North Korea has been consistently evolving its cyber-attack strategies, mainly focusing on supply chain compromises. Recent investigations have uncovered North Korean state-sponsored groups carrying out sophisticated supply chain attacks, leveraging various techniques to infiltrate organizations and compromise their softwar...

Yehuda Gelb, published in checkmarx-security, 5 min read, 1 day ago. In an alarming development for the cryptocurrency community, the Ledger Connect Kit, a vital component in the decentralized application ecosystem owned by Ledger, a company that manages billions of dollars, has fallen victim to a sophisticated supply chain attack, resulting in the redirection of users’ crypto transactions to a wallet controlled by the attacker. Key Findings: NPM Account Takeover: Ledger Connect-Kit wa...

CISA

Release Date: December 13, 2023 Alert Code: AA23-347A Related topics: Advanced Persistent Threats and Nation-State Actors, Cyber Threats and Advisories, Securing Networks SUMMARY The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber...

Cisco’s Talos

By Jungsoo An, Asheer Malhotra, Vitor Ventura Monday, December 11, 2023 08:50 Threats RAT Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. We track this Telegram-based RAT as “NineRAT” and the non-Telegram-based RAT as “...

By Jonathan Munshaw Thursday, December 14, 2023 14:00 Threat Source newsletter 2023YiR As you’ve probably seen by now, Talos released our 2023 Year in Review report last week. It’s an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a...

By Hazel Burton Thursday, December 14, 2023 07:21 2023YiR Year In Review The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing APT activity, there’s a lot to dissect. From a defender’s point of view, what does that mean heading into 2024? Do you need to consi...

Cyfirma

Published On : 2023-12-15 Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geographies, and technologies which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows, Linux, VMware ESXi servers. Targeted Geography: Argentina, Austria, Belgium, Canada, China, Netherlands, Serbia, South Korea, Thailand, United Kingdo...

Deep Instinct

Conti was one of the most notable and well-documented threat groups. Learn about who they were, how they started, their notable successes, and ultimately, how they dissolved. Ransomware is big business. In 2023, the average data breach cost organizations $4.45 million, while the average ransomware attack cost $4.54 million. For threat actor groups, there’s profit to be made. The most successful ransomware groups feature sophisticated operational structures, running like a business with HR, financ...

Manuel Winkel at Deyda.net

Table of Contents: Firmware Updates · Work after the update · Review of the systems · Find out the time of the last update · Edited files · New files (webshell) · HTTP error log files · Shell / Bash log files · Log files · Edited files with the setuid bit · Nobody processes · Check Crontab for new entries · NetScaler HA Systems · cess-vpn log files · NPPE Core Dumps · Perl & Python Scripte · Crypto Miners · Check network and firewall logs · Countermeasures for affected systems. Citrix issued an alert (10/10/2023) about a critical vulnerability ...

Dragos

Dragos, Inc. On November 9, 2023, Mandiant released new details from forensic investigations following a disruptive attack against a Ukrainian electric substation which started in June 2022 and culminated in two events on October 10 and 12, 2022. Dragos associates this activity with the ELECTRUM threat group (which has technical overlaps with the SANDWORM Advanced Persistent Threat (APT)). ELECTRUM is responsible for several cyber attacks on Ukrainian ele...

Amey Gat, Mark Robson, John Simmons, Ken Evans, Jared Betts, Angelo Cris Deveraturda, Hongkei Chan and Jayesh Zala at Fortinet

By Amey Gat, Mark Robson, John Simmons, Ken Evans, Jared Betts, Angelo Cris Deveraturda, Hongkei Chan and Jayesh Zala | December 13, 2023 Affected Platforms: Machines running vulnerable JetBrains TeamCity versions (before 2023.05.4, per vendor advice) Threat Type: Remote Code Execution Vulnerability Impact: Remote code execution for unauthenti...

FourCore

Written by Swapnil, Co-founder @ FourCore Rhysida is a new player in the Ransomware space, first appearing in May 2023, and has been targeting industries all across the globe. In recent months, Rhysida has run campaigns compromising and extorting organizations from the government, education, healthcare, IT, and manufacturing sectors. Rhysida emerged in the Ransomware Space with a high-profile attack on the Chilean army. The group currently has more than 50 victims listed on its leak site. Rhysida ...

Written by Aarush Ahuja, Co-founder @ FourCore Attackers evolve fast and we need to upskill our defenses and teams against them. Adversary Emulation is a way to mimic threats and build evidence of detection and response against threats. We are able to track the coverage and detections against potential threats in our environment. If you take a pentest and follow a specific threat-actor's tactics, techniques and procedures, that is emulation of the threat. There are various tools and projects t...

g0njxa

g0njxa, 6 min read, 1 day ago. Consider this the end of a series that lasted a few weeks. I tried to contact almost everyone related to the infostealer ecosystem that I find relevant and interesting based on my thoughts. I hope this series helps people understand better what is happening on the malware threat landscape. Everyone was “approached” the same way, and was asked common and personalized questions: Hello. I am an independent amateur researcher interested in information stealers...

GreyNoise Labs

A new vulnerability in Apache Struts has emerged! Follow us as we take a new twist on reviewing a vulnerability writeup. vulnerabilities cybersecurity Author Remy Published December 12, 2023 In order to see CVE-2023-50164 in the wild, I expect that in the coming weeks, we will see research into vendor and product specific implementations leveraging Apache Struts2 in order to determine exactly what path must be traversed in order to drop a web shell so that it can be called remotely through a ...

If You’re Going to Spray My Exploit… (CVE-2022-41800) A look at who’s trying to exploit CVE-2022-41800 in the wild - and how! f5 big-ip vulnerabilities honeypot cve cve-2023-41800 Author Ron Bowes Published December 13, 2023 Since it’s a day that ends in “y”, rumors of a currently-unknown F5 BIG-IP 0-day for sale are floating around the internet. I don’t know if it’s true or not, but at GreyNoise w...

Jason Baker at GuidePoint Security

Huntress

The discipline of intelligence, particularly in the context of cyber operations, features a number of formal concepts and processes that may appear distracting or irrelevant to the practical needs of small to medium-sized businesses (SMBs). While intelligence requirements, including priority intelligence requirements (PIRs) and similar concepts, play a crucial role in national security, the conventional ...

Curling for Data: A Dive into a Threat Actor's Malicious TTPs The Huntress agent was recently added to a new customer’s environment as a result of suspicious activity they’d become aware of, and not long after, Huntress SOC analysts alerted the customer to further malicious activity within their infrastructure. Investigating beyond the initial alerts, the Huntress team identified a novel and interesting set of tac...

Michael Zuckerman at Infoblox

DNS for Early Detection – LAZARUS KANDYKORN December 14, 2023 Infoblox’s DNS Early Detection Program utilizes proprietary techniques to identify potentially malicious domains at the earliest opportunity. The program shares our recent analysis of malicious domains disclosed through public OSINT, contrasting it with our preliminary identification of these domains as suspicious. The need for speed is real. Threat actors have refined their techniques, causing most of the potential damage before malici...

Pierre Livet at Intrinsec

by Pierre Livet | Dec 13, 2023 | Uncategorized, Red Teaming This publication is part 1 of 2 in the series Kerberos OPSEC. Kerberos OPSEC: Offense & Detection Strategies for Red and Blue Team – Part 1: Kerberoasting. Kerberos OPSEC: Offense & Detection Strategies for Red and Blue Team – Introduction We are starting a series of articles in which we share a summary of the OPSEC practices to be taken into account on the red team side, and the detection strategies that can be p...

Alanna Titterington at Kaspersky Lab

KELA Cyber Threat Intelligence

KELA Cyber Intelligence Center Threat actors engage in active infiltration of corporate assets, extracting valuable information and distributing it on cybercrime forums for trade. Records like contact details, social security numbers, and credit card information are used for financial gain. Initial access vectors of cybercriminals can take various forms, such as exploiting vulnerabilities, deploying malware, conducting phishing attacks, leveraging compromised credentials, or employing other tact...

KELA Cyber Intelligence Center Following a cyberattack on December 12, 2023, Kyivstar, a major Ukrainian mobile network operator, faced a significant digital crisis. The incident has been discussed as one of the most powerful attacks on a telecommunication organization. Confusing claims surfaced from hacktivist groups like Killnet and its successor, Deanon Club, along with Solntsepek. In this blog, KELA dives into the details of the Kyivstar cyberattack, exploring the conflicting stories and the...

Koen Van Impe at MISP

Lab52

December 11, 2023 The Lab52 team has analysed a cyber campaign in which attackers deploy a new variant of the PlugX malware. Both the infection chain and the various artefacts used in the cyberattack share multiple similarities with the SmugX campaign, attributed to threat actors Red Delta and Mustang Panda, allegedly linked to the Chinese government. This time, the actors deploy an MSI file on victim machines containing a legitimate executable (OneNotem.exe), a malicious DLL (msi.dll) and a DAT...

Lumen

Black Lotus Labs Posted On December 13, 2023 18.7K Views Executive Summary The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. We are calling this the KV-botnet, based upon artifacts in the malware left by the authors. The botnet is comprised of two complementary activity clusters; our analysis reveals that this nexus has been active ...

Malwarebytes

Posted: December 13, 2023 by Threat Intelligence Team This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In November there were 457 total ransomware victims, making it the most active month f...

Posted: December 14, 2023 by Mark Stockley The ALPHV ransomware gang, arguably the second most dangerous “big game” ransomware operator, appears to be back in business after its infrastructure went down for five days. But all does not appear to be going well for the group. ALPHV’s dark web leak site may be back but it is only showing a single victim with no sign of any of the hundreds of others it normally lists. The solitary listing on the site is dated December 13, which is after the site was rest...

Mandiant

Blog FLOSS for Gophers and Crabs: Extracting Strings from Go and Rust Executables Arnav Kharbanda, Willi Ballenthin, Moritz Raabe Dec 13, 2023 8 min read Reverse Engineering FLARE Malware The evolving landscape of software development has introduced new programming languages like Go and Rust. Binaries compiled from these languages work differently to classic (C/C++) programs and challenge many conventional analysis tools. To support the static analysis of Go and Rust executables, FLOSS now extracts pr...

Blog Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors Ryan Tomcik, Adrian McCabe, Rufus Brown, Geoff Ackerman Dec 14, 2023 21 min read | Last updated: Dec 15, 2023 Malware backdoor Uncategorized Groups (UNC Groups) Managed Defense Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) presented to users in sponsored search engine results and social media posts, consistent with act...

Microsoft Security

MITRE-Engenuity

Suneel Sundar, published in MITRE-Engenuity, 9 min read, 5 days ago. Written by Suneel Sundar. As we come to the end of 2023, we celebrate the Center’s biggest year yet. The Center has brought more participants into our collaborative R&D program, released more products, and scaled up our impact across threat-informed defense. Our best work comes when we enable innovation across the industry, and we do so across our three Key Problem Areas: Cyber Threat Intelligence: Increase the opera...

Tiffany Bergeron, published in MITRE-Engenuity, 5 min read, 4 days ago. Written by Tiffany Bergeron and Lex Crumpton. Cyber defenders need information to identify and understand cyber incidents occurring in their environment. Various tools and services are available to collect system or network information, but it is not always clear how to use those tools to provide visibility into specific threats and adversarial behaviors occurring in their environment. To meet this need, the Cent...

Michael Gorelik at Morphisec

Posted by Michael Gorelik on December 13, 2023 The Cybersecurity and Infrastructure Security Agency (CISA) recently sounded the alarm on the widespread exploitation of the Citrix Bleed vulnerability. This critical security flaw has had a significant impact across various industries in the United States, including credit unions and healthcare services, marking it as one of the most critical vulnerabilities of 2023. Its relatively straightforward buffer overflow ...

Nik Alleyne at ‘Security Nik’

Beginning Nikto - File Upload Vulnerability testing This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. The Hack - Beginning Nikto - File Upload Vulnerability testing Trying a different scan by providing the entire URL ┌─...

Beginning Nikto - SQL Injection with default evasion This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. The Hack - SQL Injection with default evasion. ┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9] └─$ nikto -host /10.0....

Beginning Nikto - Command Execution / Remote Shell This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. The Hack - Beginning Nikto - Command Execution / Remote Shell ┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6] └─$ nikt...

Beginning Nikto - Remote File Retrieval with evasion type 4 -< Prepend long random string This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. The Hack - Remote File Retrieval with evasion type 4 -< Prepend long random st...

Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -< Premature URL ending This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. Posts in this series: The hack - Testing for injection types of attacks. ┌──(k...

Beginning Nikto - Information Disclosure with evasion type 2 -< Directory self-reference (/./) This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. Other posts in this series: Hack - Leveraging the information disclosure w...

Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -< Random URI encoding (non-UTF8) This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection. From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata. The Hack - "Misconfiguration / Default File" with evasion type 1...

Beginning Nikto - Scanning for interesting files seen in the logs The idea of this series is to use Nikto to learn about common vulnerabilities in web services. Once those vulnerabilities are identified, we will then attempt to exploit them where possible. As I work in a SOC, we have to be prepared to detect. As a result, we will analyze logs, packets (Tshark), IDS (Suricata) and Zeek data. This is all in the spirit of hack and detect. We will attempt to learn some of the different evasion techn...

Nisos

by Nisos | Dec 11, 2023 | Blog, Research Executive Summary Nisos investigators identified a number of online personas probably used by the Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers to fraudulently obtain remote employment from unwitting companies in the United States. IT workers, like the ones identified, provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons d...

Dimitris Binichakis at NVISO Labs

Dimitris Binichakis PowerShell, Threat Hunting, Blue Team December 13, 2023 / December 12, 2023 · 5 Minutes Introduction Most modern day EDRs have some sort of feature which allows blue teamers to remotely connect to hosts with an EDR agent/sensor installed, to aid in their investigation of incidents. In CrowdStrike, this is called Real Time Response, and it provides a wide range of capabilities, from executing built-in commands like ipconfig and netstat to running your own PowerShell scripts. In thi...

Janos Szurdi, Shehroze Farooqi and Nabeel Mohamed at Palo Alto Networks

By Janos Szurdi, Shehroze Farooqi and Nabeel Mohamed December 15, 2023 at 3:00 PM 13 min. read Category: Malware Tags: Advanced URL Filtering, Cloud-Delivered Security Services, Cybercrime, DNS, DNS security, Malicious Domains, next-generation firewall, Phishing, Scams Executive Summary Malicious actors often acquire a large number of domain names (called stockpiled domains) at the same time or set up their infrastructure in an automated fashion. They do so, for examp...

Phylum

Background Today’s security breach at Ledger, a leader in cryptocurrency hardware wallets, has raised significant alarms in the digital assets community. The breach was facilitated through a spear phishing attack on a former employee. Apparently, the goal of the phishing attempt was exfiltration of Ledger’s npmjs publishing credentials, which proved successful. For some reason, this former employee still had valid publishing creds and once obtained, the attacker used them to publish a malicious u...

Kelsey Merriman, Selena Larson, And Xavier Chambrier at Proofpoint

Security Brief: TA4557 Targets Recruiters Directly via Email December 12, 2023 Kelsey Merriman, Selena Larson, and Xavier Chambrier What happened Since at least October 2023, TA4557 began using a new technique of targeting recruiters with direct emails that ultimately lead to malware delivery. The initial emails are benign and express interest in an open role. If the target replies, the attack chain commences. Previously, throughout most of 2022 and 2023, TA4557 typicall...

Red Alert

Monthly Threat Actor Group Intelligence Report, October 2023 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups) analyzed on the basis of data and information collected by the NSHC ThreatRecon team from September 21, 2023 to October 20, 2023. In October, the activities of a total of 35 hacking groups were identified; the SectorJ group accounted for the largest share at 33%, followed by the SectorA and SectorB groups. The hacking activity of the groups identified this October was directed most often against personnel or systems in government agencies and the financial sector, and by region, hacking activity targeting countries located in Europe and East Asia was the most common. 1. SectorA Group Activity Characteristics In October 2023, the activities of a total of 4 hacking groups were discovered, and they were Se...

Laura Brosnan at Red Canary

Todd Thiemann at ReliaQuest

Resecurity

Exposing the Cyber-Extortion Trinity - BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign Cyber Threat Intelligence 15 Dec 2023 Ransomware, Data Leak, Data Breach, Dark Web Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit...

Sunhyung Shim and Jaehak Oh at S2W Lab

Published in S2W BLOG, 8 min read, 3 days ago. Author: Sunhyung Shim, Jaehak Oh | S2W Marketing. Executive Summary: Thailand has recently become a major target of dark web/Telegram hacking groups, with messages or content mentioning Thailand increasing more than twofold compared with last year. The hacking groups that mainly mention Thailand are groups such as ‘NDT SEC’ and ‘Anonymous Cambodia’, made up of Cambodian hackers, who describe themselves as hacktivist groups → the background to their cyber attack activity against Thailand is a long-standing historical conflict between the two countries. These groups mainly carry out DDoS attacks against Thai government and military institutions and the financial sector, or steal and leak confidential data. Compared with last year, data leak incidents involving Thailand on the dark web increased by 24%. ‘Government’ and ‘Bio/...

SANS

John Doyle: Helping CTI Analysts Approach and Report on Emerging Technology Threats and Trends (Part 1). How to approach, research, and develop analytic assessments on emerging technologies and threat trends. December 12, 2023. “The human mind tends to see what it expects to see and to overlook the unexpected. Change often happens so gradually that we do not see it or we rationalize it as not being of fundamental importance until it is too obvious to ignore. Identification of indic...

Cloud Attacks: What’s Old is New – Part 1. Ryan Nicholson. While cloud and on-prem infrastructure deployments differ greatly, many cloud attacks are similar to traditional on-prem attacks. December 12, 2023. The Cloud Threat Landscape. New Environment, Same Issues. When migrating applications and services to a cloud environment, whether it be Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), customers wil...

SANS Internet Storm Center

IPv4-mapped IPv6 Address Used For Obfuscation Published: 2023-12-09 Last Updated: 2023-12-12 15:17:28 UTC by Didier Stevens (Version: 1) 1 comment(s) A reader submitted an unusual URL: Notice the format of the hostname: ::ffff:a.b.c.d I had to look this up: this is an IPv4-mapped IPv6 address. It is a format to describe an IPv4 address using an IPv6 address format. From the Wikipedia article on IPv6 addresses: ::ffff:0:0/96 ? This prefix is used for IPv6 transition mechanisms and designated as an IPv4...

Honeypots: From the Skeptical Beginner to the Tactical Enthusiast Published: 2023-12-10 Last Updated: 2023-12-10 20:00:58 UTC by Guy Bruneau (Version: 1) 0 comment(s) [This is a Guest Diary by Nicolas Haney, an ISC intern as part of the SANS.edu BACS program] Introduction When I began setting up the DShield honeypot on my network, I was hesitant and extremely nervous. There were a lot of firsts for me here. First time using a Raspberry Pi, first time setting up a honeypot, and first time using p...

Malicious Python Script with a TCL/TK GUI Published: 2023-12-13 Last Updated: 2023-12-13 09:22:12 UTC by Xavier Mertens (Version: 1) 0 comment(s) One essential behavior of malware is to remain "stealthy" and perform nasty activities below the radar. But sometimes, it can be attractive to interact with the victim to make it more confident and use the script (that's my guess). I found a malicious Python script that builds a window and displays it to the user. Python can create powerful GUIs with t...

T-shooting Terraform for DShield Honeypot in Azure [Guest Diary] Published: 2023-12-13 Last Updated: 2023-12-14 00:13:24 UTC by Guy Bruneau (Version: 1) 0 comment(s) [This is a Guest Diary by Michael Smith, an ISC intern as part of the SANS.edu BACS program] Introduction As part of the Internet Storm Center internship, we were tasked with setting up a DShield Honeypot on a Raspberry Pi at home [1]. For the device to function properly, it must be exposed to the internet with a publicly routable IP...

CSharp Payload Phoning to a CobaltStrike Server Published: 2023-12-15 Last Updated: 2023-12-15 09:08:24 UTC by Xavier Mertens (Version: 1) 0 comment(s) I found an interesting CSharp source code on VT a few days ago. Its score is only 3/59 (SHA256:5aebf1369b9b54cfc340f34fcc61a90872085a2833fd9bcf238f7c62a5c7620a)[1]. It has been a long time since I saw payloads ready to be compiled. I did some research on self-compiling malware in 2020[2]. I think the file was uploaded on VT to verify the detectio...

An Example of RocketMQ Exploit Scanner Published: 2023-12-16 Last Updated: 2023-12-16 06:31:05 UTC by Xavier Mertens (Version: 1) 0 comment(s) A few months ago, RocketMQ[1], a real-time message queue platform, suffered from a nasty vulnerability referred to as CVE-2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It still has a very low VirusTotal detection score today: 2/60 [2] (SHA256:70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fe...

Securelist

Malware reports, 13 Dec 2023. Authors: GReAT. Introduction: The crimeware landscape is diverse. Cybercriminals try to capitalize on their victims in every possible way by distributing various types of malware designed for different platforms. In recent months, we have written private reports on a wide range of topics, such as new cross-platform ransomware, macOS stealers and malware distribution campaigns. In this artic...

Research, 14 Dec 2023. Authors: Kaspersky GERT, GReAT. During an incident response performed by Kaspersky’s Global Emergency Response Team (GERT) and GReAT, we uncovered a novel multiplatform threat named “NKAbuse”. The malware utilizes NKN technology for data exchange between peers, functioning as a potent ...

Sekoia

Daniel Petri at Semperis

AD Security 101, Dec 05, 2023, 5 min read. Daniel Petri. An MFA fatigue attack—also known as MFA bombing—is an attack tactic, technique, and procedure (TTP) in which a threat actor floods users with multifactor authentication (MFA) requests. By overwhelming, confusing, or distracting the user into approving a fraudulent request, attackers hope to gain access to you...

SentinelOne

Aleksandar Milenkoski / December 11, 2023. By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence. Executive Summary: The Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at Labscon 2023 – STORM-0866/Red Dev 40. The Sandman’s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in the same victim environments. Sandman and STOR...

December 13, 2023 by Jim Walter. The ransomware landscape is characterized by a heavy churn in both actor groups and malware families, with only a few players exhibiting relative longevity. Once feared threats such as REvil and Conti have either been dismantled or dissolved, while others – ALPHV, Black Basta and LockBit, for example – continue to extort businesses with impunity. To this second list we can also add Mallox (aka TargetCompany), a lesser-known but long-running ransomware threat f...

Aleksandar Milenkoski / December 14, 2023. Executive Summary: Overlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that the Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of internal and/or external malware supply lines. Gaza Cybergang has upgraded its malware arsenal with a backdoor that we track as Pierogi++, first used in 2022 and seen throughout 2023. Recent Gaza Cybergang activities show consistent t...

Simone Kraus

Robust Detection and Analytical Scoring countering Cy-X threat actors like Rhysida. Simone Kraus, published in Detect FYI, 12 min read, Dec 10. While it was a hypothesis just a few months ago, it has now been confirmed that the Cy-X threat actors of Rhysida are affiliates of the former ransomware group Vice Society. Our research team assessed the exact extent of this relationship and could actually follow one of the following hypotheses: Due to increased scrutiny from law enforcement, t...

Sophos

Sophos X-Ops explores the symbiotic – but often uneasy – relationship between ransomware gangs and the media, and how threat actors are increasingly seeking to wrest control of the narrative. Written by Sophos X-Ops, December 13, 2023, Threat Research. Historically, threat ...

Splunk

By Michael Haag, December 13, 2023. Adversaries constantly seek new methods to breach endpoint security, making it essential to minimize potential points of attack, vigilantly monitor events, and regularly test defenses to confirm their effectiveness. This proactive approach ensures preparedness against evolving cyber threats. Enter Microsoft Defender Attack Surface Reduction (ASR), a frontline defense tool in the cybersecurity arsenal. Defender ASR plays an important role in reducing the a...

By Tamara Chacon, December 14, 2023. The recent SURGe in popularity of generative artificial intelligence tools has raised many questions around potential use cases in cybersecurity, both from an offensive and defensive point of view. Will chat-based AI-assistants provide more utility to attackers, or defenders? Security researchers have theorized that AI-assistants can improve the efficacy and the scale of spear phishing. Is it possible that this new technology could better enable attacker...

Denis Sinegubko at Sucuri

Taz Wake

Linux incident response - understanding stat (Taz Wake on LinkedIn)

Linux incident response - malicious timestamp manipulation. Taz Wake, Cyber security incident response | Threat hunting | Digital forensics | Certified SANS instructor & course author. Published Dec 12, 2023. Introduction: Timestamp manipulation, a tactic often used by attackers to conceal their activities, involves altering file and system timestamps. It has been used maliciously pretty much since the dawn ...

Steven Erwin at TrustedSec

December 14, 2023. Unmasking Business Email Compromise: Safeguarding Organizations in the Digital Age. Written by Steven Erwin. Incident Response, Office 365 Security Assessment. Business Email Compromises (BEC) within the Microsoft 365 environment are a large threat with nearly $500 Million reported in stolen funds in 2022[1]. Attackers are targeting both company and personal email accounts. It’s important to understand how attackers are accessing mailboxes and learn the best ways to protect yoursel...

Pancho Perdomo at VirusTotal

Protecting the perimeter with VT Intelligence - Em... (VTMondays)


YUCA

YUCA, 7 min read, 4 days ago. TLDR: Team R70 is a Yemen-based group and is hypothesized to be operating independently from Yemen’s Houthi faction. Strong collaboration and recognition from Malaysian/Indonesian hacking groups. Attacks first began with Distributed Denial of Service (DDoS) but shifted into more web defacement attacks. Top targeted entities include Brazil, Israel, and Sweden. Who is Team R70? The hacktivist group, founded on December 23, 2022, as indicated by their initial T...

Deepen Desai and Rohit Hegde at Zscaler

Deepen Desai, Rohit Hegde, December 14, 2023 - 6 min read. ThreatLabz Research. Contents: Introduction; Encrypted Attacks; 85.9% of Attacks are Encrypted; 78.1% of Encrypted Threats Involve Malware; Phishing Increased by 13.7%; Manufacturing Still the Most Targeted Sector; Zscaler Secures Organizations Against Encrypted Attacks at Scale; How Zscaler Helps Mitigate Encrypted Attacks; Best Practices for Mitigating Encrypted Attacks; Best Practices for Safe AI/ML Interactions; Learn More. Introduction...